Setting up access to an Amazon S3 bucket
You identify the Amazon S3 bucket, then you give the snapshot permission to access it.
Topics
Identifying the Amazon S3 bucket for export
Identify the Amazon S3 bucket to export the DB snapshot to. Use an existing S3 bucket or create a new S3 bucket.
Note
The S3 bucket to export to must be in the same Amazon Region as the snapshot.
For more information about working with Amazon S3 buckets, see the following in the Amazon Simple Storage Service User Guide:
Providing access to an Amazon S3 bucket using an IAM role
Before you export DB snapshot data to Amazon S3, give the snapshot export tasks write-access permission to the Amazon S3 bucket.
To grant this permission, create an IAM policy that provides access to the bucket, then create an IAM role and attach the policy to the role. Later, you can assign the IAM role to your snapshot export task.
Important
If you plan to use the Amazon Web Services Management Console to export your snapshot, you can choose to create the IAM policy and the role automatically when you export the snapshot. For instructions, see Creating snapshot export tasks.
To give DB snapshot tasks access to Amazon S3
-
Create an IAM policy. This policy provides the bucket and object permissions that allow your snapshot export task to access Amazon S3.
In the policy, include the following required actions to allow the transfer of files from Amazon Aurora to an S3 bucket:
-
s3:PutObject* -
s3:GetObject* -
s3:ListBucket -
s3:DeleteObject* -
s3:GetBucketLocation
In the policy, include the following resources to identify the S3 bucket and objects in the bucket. The following list of resources shows the Amazon Resource Name (ARN) format for accessing Amazon S3.
-
arn:aws-cn:s3:::amzn-s3-demo-bucket -
arn:aws-cn:s3:::amzn-s3-demo-bucket/*
For more information on creating an IAM policy for Amazon Aurora, see Creating and using an IAM policy for IAM database access. See also Tutorial: Create and attach your first customer managed policy in the IAM User Guide.
The following Amazon CLI command creates an IAM policy named
ExportPolicywith these options. It grants access to a bucket namedamzn-s3-demo-bucket.Note
After you create the policy, note the ARN of the policy. You need the ARN for a subsequent step when you attach the policy to an IAM role.
aws iam create-policy --policy-name ExportPolicy --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Sid": "ExportPolicy", "Effect": "Allow", "Action": [ "s3:PutObject*", "s3:ListBucket", "s3:GetObject*", "s3:DeleteObject*", "s3:GetBucketLocation" ], "Resource": [ "arn:aws-cn:s3:::amzn-s3-demo-bucket", "arn:aws-cn:s3:::amzn-s3-demo-bucket/*" ] } ] }' -
-
Create an IAM role, so that Aurora can assume this IAM role on your behalf to access your Amazon S3 buckets. For more information, see Creating a role to delegate permissions to an IAM user in the IAM User Guide.
The following example shows using the Amazon CLI command to create a role named
rds-s3-export-role.aws iam create-role --role-name rds-s3-export-role --assume-role-policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "export.rds.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' -
Attach the IAM policy that you created to the IAM role that you created.
The following Amazon CLI command attaches the policy created earlier to the role named
rds-s3-export-role. Replaceyour-policy-arnaws iam attach-role-policy --policy-arnyour-policy-arn--role-name rds-s3-export-role
Using a cross-account Amazon S3 bucket
You can use Amazon S3 buckets across Amazon accounts. To use a cross-account bucket, add a bucket policy to allow access to the IAM role that you're using for the S3 exports. For more information, see Example 2: Bucket owner granting cross-account bucket permissions.
-
Attach a bucket policy to your bucket, as shown in the following example.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws-cn:iam::123456789012:role/Admin" }, "Action": [ "s3:PutObject*", "s3:ListBucket", "s3:GetObject*", "s3:DeleteObject*", "s3:GetBucketLocation" ], "Resource": [ "arn:aws-cn:s3:::amzn-s3-demo-destination-bucket", "arn:aws-cn:s3:::amzn-s3-demo-destination-bucket/*" ] } ] }
Using a cross-account Amazon KMS key
You can use a cross-account Amazon KMS key to encrypt Amazon S3 exports. First, you add a key policy to the local account, then you add IAM policies in the external account. For more information, see Allowing users in other accounts to use a KMS key.
To use a cross-account KMS key
-
Add a key policy to the local account.
The following example gives
ExampleRoleandExampleUserin the external account 444455556666 permissions in the local account 123456789012.{ "Sid": "Allow an external account to use this KMS key", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws-cn:iam::444455556666:role/ExampleRole", "arn:aws-cn:iam::444455556666:user/ExampleUser" ] }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey", "kms:RetireGrant" ], "Resource": "*" } -
Add IAM policies to the external account.
The following example IAM policy allows the principal to use the KMS key in account 123456789012 for cryptographic operations. To give this permission to
ExampleRoleandExampleUserin account 444455556666, attach the policy to them in that account.{ "Sid": "Allow use of KMS key in account 123456789012", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey", "kms:RetireGrant" ], "Resource": "arn:aws-cn:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" }